"""Tests for session-backed authentication routes."""


class TestAuthRoutes:
    """Exercise the session-backed ``/api/auth/*`` endpoints end to end.

    ``client`` and ``app`` are pytest fixtures supplied by the project's
    conftest (a test client and the application object); this file never
    builds the application itself.
    """

    # Credentials reused by every registration/login test in the class.
    _EMAIL = 'user@example.com'
    _PASSWORD = 'secretpass123'

    @staticmethod
    def _register(client, email, password, **request_kwargs):
        """POST a registration request and return the raw test-client response.

        ``request_kwargs`` is forwarded to ``client.post`` unchanged (used by
        the CSRF test to attach extra headers).
        """
        return client.post(
            '/api/auth/register',
            json={'email': email, 'password': password},
            **request_kwargs,
        )

    @staticmethod
    def _login(client, email, password):
        """POST a login request and return the raw test-client response."""
        return client.post(
            '/api/auth/login',
            json={'email': email, 'password': password},
        )

    def test_csrf_bootstrap_returns_token(self, client):
        """The CSRF bootstrap endpoint hands out a non-empty string token."""
        bootstrap = client.get('/api/auth/csrf')
        assert bootstrap.status_code == 200
        token = bootstrap.get_json()['csrf_token']
        assert isinstance(token, str)
        assert token

    def test_register_success(self, client):
        """A fresh registration is created with the default plan and role."""
        created = self._register(client, self._EMAIL, self._PASSWORD)
        assert created.status_code == 201
        new_user = created.get_json()['user']
        # Defaults matter for least privilege: a self-registered account must
        # never start out with anything other than the baseline role/plan.
        assert new_user['email'] == self._EMAIL
        assert new_user['plan'] == 'free'
        assert new_user['role'] == 'user'

    def test_register_assigns_admin_role_for_allowlisted_email(self, app, client):
        """An email on the INTERNAL_ADMIN_EMAILS allowlist registers as admin."""
        # NOTE(review): this mutates app.config and does not restore it; it
        # assumes the ``app`` fixture is function-scoped — confirm, otherwise
        # later tests in the session inherit the allowlist.
        app.config['INTERNAL_ADMIN_EMAILS'] = ('admin@example.com',)
        created = self._register(client, 'admin@example.com', self._PASSWORD)
        assert created.status_code == 201
        assert created.get_json()['user']['role'] == 'admin'

    def test_register_duplicate_email(self, client):
        """Registering the same email twice is rejected with 409."""
        self._register(client, self._EMAIL, self._PASSWORD)
        duplicate = self._register(client, self._EMAIL, self._PASSWORD)
        assert duplicate.status_code == 409
        assert 'already exists' in duplicate.get_json()['error'].lower()

    def test_login_and_me(self, client):
        """After logout, a valid login re-establishes a session visible via /me."""
        self._register(client, self._EMAIL, self._PASSWORD)
        # Registration appears to leave the client logged in, so drop that
        # session first to make sure /me reflects the explicit login below.
        client.post('/api/auth/logout')
        login = self._login(client, self._EMAIL, self._PASSWORD)
        whoami = client.get('/api/auth/me')
        assert login.status_code == 200
        assert whoami.status_code == 200
        identity = whoami.get_json()
        assert identity['authenticated'] is True
        assert identity['user']['email'] == self._EMAIL

    def test_login_invalid_password(self, client):
        """A wrong password yields 401 with a generic error message."""
        self._register(client, self._EMAIL, self._PASSWORD)
        client.post('/api/auth/logout')
        denied = self._login(client, self._EMAIL, 'wrongpass123')
        assert denied.status_code == 401
        # The wording is pinned deliberately: a single "invalid email or
        # password" message keeps the response from distinguishing an unknown
        # email from a wrong password.
        assert 'invalid email or password' in denied.get_json()['error'].lower()

    def test_me_without_session(self, client):
        """Without a session, /me reports unauthenticated and exposes no user."""
        whoami = client.get('/api/auth/me')
        assert whoami.status_code == 200
        assert whoami.get_json() == {'authenticated': False, 'user': None}

    def test_register_rejects_invalid_csrf_token(self, client):
        """A state-changing request carrying a bogus X-CSRF-Token is refused."""
        # NOTE(review): only the present-but-invalid token case is covered.
        # The other tests in this class register without an X-CSRF-Token
        # header and still expect 201, so how the app treats a *missing*
        # header is not pinned by this file — confirm against the CSRF policy.
        refused = self._register(
            client,
            'csrf@example.com',
            self._PASSWORD,
            headers={'X-CSRF-Token': 'invalid-token'},
        )
        assert refused.status_code == 403
        assert 'csrf' in refused.get_json()['error'].lower()